This deck explores how you can integrate “Sign in with Apple” with your enterprise software using a zero-code approach. It discusses what “Sign in with Apple” is, what CIAM challenges it poses, and how you can leverage WSO2 Identity Server to integrate with it.
Watch the on-demand webinar here: https://wso2.com/library/webinars/2019/07/sign-in-with-apple-a-zero-code-integration-approach-using-wso2-identity-server/
Sign In with Apple: A Zero Code Integration Approach Using WSO2 Identity Server
1. IDENTITY SERVER
Sign In with Apple: A Zero-Code Integration Approach Using WSO2 Identity Server
Ishara Karunarathna, Senior Technical Lead
Farasath Ahamed, Associate Technical Lead
July 10, 2019
3. Sign In with Apple
● Introduced at WWDC19
● Built on four main aspects:
○ Privacy
○ Built-in Security
○ Works everywhere
○ Antifraud
5. Why Worry About “Sign In with Apple” At All?
● Large ecosystem with 1.4 billion Apple ID accounts
● Allows users with Apple IDs to use their existing account to sign into third-party apps
● Future de facto authentication mechanism for iOS apps
● Enhances Security
○ Enforces strong authentication
○ User consent
○ Pseudo identifier per application
7. The “Sign In with Apple” Flow
● Login API for developers
● Follows a flow similar to OpenID Connect
● A two-step login process:
○ Redirect to Apple’s authorize endpoint and get a code after authenticating the user
○ Exchange the code and obtain an id_token with user information
14. Security Considerations
● Since “Sign in with Apple” deviates from the standard OpenID Connect flow, a few security implications are introduced as a result:
○ The ‘nonce’ parameter sent in the request is not returned to the app
○ Does not use PKCE, so it is susceptible to code interception attacks
○ ‘prompt’ does not work as expected
● See “Open Letter from the OpenID Foundation to Apple Regarding Sign In with Apple”
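Relying-party checks for the two-step flow above, as an added Python example that is not part of the deck or of WSO2 Identity Server: it binds a fresh state and nonce to the login attempt, then validates the id_token claims and reports the missing nonce the slide describes. Apple's issuer value and the claim names are assumed from OpenID Connect and Apple's documentation, and signature verification against Apple's JWKS is assumed to happen before these claim checks.

```python
import hmac
import secrets
import time

# Apple's documented OpenID issuer value (assumption: not stated in the deck).
APPLE_ISSUER = "https://appleid.apple.com"


def new_login_request(client_id, session):
    """Step one: mint a state and nonce, keep them in the server-side
    session, and return the parameters for Apple's authorize request."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return {"client_id": client_id, "response_type": "code", "scope": "openid",
            "state": session["oidc_state"], "nonce": session["oidc_nonce"]}


def validate_id_token_claims(claims, client_id, session, now=None):
    """Step two: check the claims of an id_token whose signature was already
    verified against Apple's JWKS. Returns the list of problems found; an
    empty list means the token may be accepted for this session."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != APPLE_ISSUER:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("expired")
    if not claims.get("sub"):
        problems.append("sub missing")
    nonce, expected = claims.get("nonce"), session.get("oidc_nonce")
    if nonce is None or expected is None:
        # No nonce means the token cannot be tied to this login attempt,
        # which is the gap the OpenID Foundation letter points out.
        problems.append("nonce missing")
    elif not hmac.compare_digest(str(nonce).encode(), expected.encode()):
        problems.append("nonce mismatch")
    return problems


# Constructed sample: a claims set with no nonce (the case the deck describes),
# checked against a session that did send one.
SESSION = {}
REQUEST = new_login_request("com.example.app", SESSION)
SAMPLE_CLAIMS = {"iss": APPLE_ISSUER, "aud": "com.example.app",
                 "sub": "001234.abcdef.5678", "exp": 4102444800}
PROBLEMS = validate_id_token_claims(SAMPLE_CLAIMS, "com.example.app", SESSION, now=1562716800)
```

A token that echoes the session's nonce passes cleanly; one without it, or with a different one, is rejected before the app trusts the `sub` value.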
16. Development Challenges
● Lack of documentation
● Deviations from the standard OpenID Connect flow
○ Client secret generation
● Applications that do not support OpenID Connect cannot support “Sign in with Apple” without modification
● Supporting multiple login options
● Implementing typical IAM use cases needs information beyond the user identifier
18. Step 1: Make your app speak a standard
● Communicating in a standard protocol makes your app vendor neutral and eases integration with IAM providers.
19. Step 2: Implement “Sign In with Apple” through OIDC Federation
● Add Apple as a trusted identity provider
● Engage “Sign in with Apple” in the authentication flow
26. About WSO2 Identity Server
● Fully open source (Apache 2.0 open source license)
● Inherent extensibility for building a tailor-made IAM platform
● 100+ million identities managed worldwide
● 150+ production customers globally and 500+ educational institutes
● 24x7 support for production customers
● Globally operating, with main offices in the USA, UK, Germany, Brazil, Australia, and Sri Lanka
● Product leader in LC: Access Management and Federation
● Innovation leader in LC: CIAM
27. If you would like to try out “Sign in with Apple” using WSO2 Identity Server:
● https://medium.com/@janakda/how-to-configure-sign-in-with-apple-77c61e336003
● https://medium.com/@farasath/sign-in-with-apple-using-wso2-identity-server-893cd47f3f5c
● https://medium.com/@isharaaruna/what-is-apple-sign-in-challenges-and-way-forward-with-wso2-identity-server-f1faa1b715cc
● https://wso2.com/blogs/thesource/tag/sign-in-with-apple/